Total
2224 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49393 | 2 Fetchdesigns, Wordpress | 2 Sign-up Sheets, Wordpress | 2025-11-13 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.This issue affects Sign-up Sheets: from n/a through <= 2.3.2. | ||||
| CVE-2025-49386 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Scott Reilly Preserve Code Formatting preserve-code-formatting allows Object Injection.This issue affects Preserve Code Formatting: from n/a through <= 4.0.1. | ||||
| CVE-2025-49380 | 3 Woocommerce, Wordpress, Wpinstinct | 3 Woocommerce, Wordpress, Woocommerce Vehicle Parts Finder | 2025-11-13 | 5.3 Medium |
| Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7. | ||||
| CVE-2025-48086 | 2 Wordpress, Wp-dreams | 2 Wordpress, Ajax Search | 2025-11-13 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.This issue affects Ajax Search Lite: from n/a through <= 4.13.3. | ||||
| CVE-2025-32283 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection.This issue affects Solar Energy: from n/a through <= 3.5. | ||||
| CVE-2025-31634 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in designthemes Insurance insurance allows Object Injection.This issue affects Insurance: from n/a through <= 3.5. | ||||
| CVE-2025-63617 | 1 Alibaba | 1 Fastjson | 2025-11-12 | 6.5 Medium |
| ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data. | ||||
| CVE-2025-26397 | 1 Solarwinds | 1 Observability Self-hosted | 2025-11-12 | 7.8 High |
| SolarWinds Observability Self-Hosted is susceptible to Deserialization of Untrusted Data Local Privilege Escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server. | ||||
| CVE-2025-42944 | 1 Sap | 2 Netweaver, Sap Netweaver | 2025-11-12 | 10 Critical |
| Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability. | ||||
| CVE-2025-5680 | 1 Tongzhouyun | 1 Agilebpm | 2025-11-12 | 6.3 Medium |
| A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-5679 | 1 Tongzhouyun | 1 Agilebpm | 2025-11-12 | 6.3 Medium |
| A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-64439 | 2 Langchain, Langchain-ai | 2 Langchain, Langchain | 2025-11-12 | N/A |
| LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE) vulnerability when deserializing payloads saved in the "json" serialization mode. By default, the serializer attempts to use "msgpack" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused serialization to fail, it would fall back to using the "json" mode. This issue is fixed in version 3.0.0. | ||||
| CVE-2025-12099 | 2 Academylms, Wordpress | 2 Academy Lms, Wordpress | 2025-11-12 | 7.2 High |
| The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of untrusted input in the 'import_all_courses' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2025-2251 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jbosseapxp | 2025-11-11 | 6.2 Medium |
| A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication. | ||||
| CVE-2025-11622 | 1 Ivanti | 1 Endpoint Manager | 2025-11-11 | 7.8 High |
| Insecure deserialization in Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to escalate their privileges. | ||||
| CVE-2021-42237 | 1 Sitecore | 1 Experience Platform | 2025-11-10 | 9.8 Critical |
| Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | ||||
| CVE-2025-49712 | 1 Microsoft | 3 Sharepoint Enterprise Server 2016, Sharepoint Server, Sharepoint Server 2010 | 2025-11-10 | 8.8 High |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-53772 | 1 Microsoft | 2 Web Deploy, Web Deploy 4.0 | 2025-11-10 | 8.8 High |
| Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network. | ||||
| CVE-2020-7961 | 1 Liferay | 1 Liferay Portal | 2025-11-07 | 9.8 Critical |
| Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). | ||||
| CVE-2019-18935 | 1 Telerik | 1 Ui For Asp.net Ajax | 2025-11-07 | 9.8 Critical |
| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.) | ||||